Ferreteria/sql/user session: Difference between revisions

From Woozle Writes Code
Jump to navigation Jump to search
(security note)
(ID_Order field)
Line 3: Line 3:
** '''2009-06-18''' design started - first draft, not sure concept is right
** '''2009-06-18''' design started - first draft, not sure concept is right
** '''2009-07-10''' each session ties to a cart, not vice-versa; Token is now a random string
** '''2009-07-10''' each session ties to a cart, not vice-versa; Token is now a random string
** '''2011-02-07''' fixing bug where user gets the same cart again after placing an order:
*** '''ID_Cart''' is now cleared when cart is converted to an order, so that same cart won't get reloaded
*** '''ID_Order''' field so we can still pull up the order when ID_Cart is cleared
*** Remember, this is the ''active'' cart. After cart is converted to an order, it is no longer active.
* '''Relations''':
* '''Relations''':
** Each {{vbzcart|table|shop_client}} has one or more {{vbzcart|table|shop_session}}s
** Each {{vbzcart|table|shop_client}} has one or more {{vbzcart|table|shop_session}}s
Line 21: Line 25:
   `ID_Client`  INT    NOT NULL COMMENT "shop_client.ID",
   `ID_Client`  INT    NOT NULL COMMENT "shop_client.ID",
   `ID_Cart`    INT DEFAULT NULL COMMENT "shop_cart.ID currently active for this session",
   `ID_Cart`    INT DEFAULT NULL COMMENT "shop_cart.ID currently active for this session",
  `ID_Order`    INT DEFAULT NULL COMMENT "order ID to which cart was converted (if any)",
   `Token`      VARCHAR(31)      COMMENT "session identifier passed as cookie = random string",
   `Token`      VARCHAR(31)      COMMENT "session identifier passed as cookie = random string",
   `WhenCreated` DATETIME        COMMENT "when session was created",
   `WhenCreated` DATETIME        COMMENT "when session was created",

Revision as of 02:41, 8 February 2011

About

  • History:
    • 2009-06-18 design started - first draft, not sure concept is right
    • 2009-07-10 each session ties to a cart, not vice-versa; Token is now a random string
    • 2011-02-07 fixing bug where user gets the same cart again after placing an order:
      • ID_Cart is now cleared when cart is converted to an order, so that same cart won't get reloaded
      • ID_Order field so we can still pull up the order when ID_Cart is cleared
      • Remember, this is the active cart. After cart is converted to an order, it is no longer active.
  • Relations:
  • Usage:
    • For now, we will be treating each "client" as having its own session which never expires. Having a separate class for the session, though, lets us decouple these things later on if we want to.
    • There should eventually be an "empty cart" button; if the user has not logged in, then that button should start a new session rather than clearing the cart for the current session.
  • Fields:
    • WhenClosed: if not NULL, then this session should not be reused (might be a different user returning to their cart, or might be the same user -- if no login, we have no way of telling, so take safest choice). If this session is accessed after the time of WhenExpires, code should manually set WhenClosed to NOW().

Security

I briefly toyed with the idea of only allowing the session to be set via http query within the secure area once and thereafter requiring it to come from a cookie, but anyone familiar with wget could spoof a cookie pretty easily, so this didn't seem worth the effort.

The real security comes from requiring that client's fingerprint (browser + IP address) "match" before authorizing renewal of a session for that client.

SQL

<section begin=sql /><mysql>DROP TABLE IF EXISTS `shop_session`; CREATE TABLE `shop_session` (

 `ID`          INT     NOT NULL AUTO_INCREMENT,
 `ID_Client`   INT     NOT NULL COMMENT "shop_client.ID",
 `ID_Cart`     INT DEFAULT NULL COMMENT "shop_cart.ID currently active for this session",
 `ID_Order`    INT DEFAULT NULL COMMENT "order ID to which cart was converted (if any)",
 `Token`       VARCHAR(31)      COMMENT "session identifier passed as cookie = random string",
 `WhenCreated` DATETIME         COMMENT "when session was created",
 `WhenExpires` DATETIME         COMMENT "when session was due to expire",
 `WhenClosed`  DATETIME         COMMENT "when the session was closed",
 PRIMARY KEY(`ID`),
 UNIQUE KEY(`Token`)
) ENGINE = MYISAM;</mysql>

<section end=sql />